and formal verification*

Sergei N. Artemov†


Abstract 

The basic properties of soundness, extensibility, and stability required from a verification system V taken in full yield the necessity of having a reflection rule in every such V. However, the reflection rule based on the Gödel provability predicate (implicit provability predicate) leads to a "reflection tower" of theories which cannot be formally verified.

The paper introduces an explicit reflection mechanism which can be verified inside the system. This circumvents the reflection tower and provides a strict justification for the verification process. On the practical side, the paper gives specific recommendations concerning the verification of inference rules and building a verifiable reflection mechanism for a theorem proving system.


1 Introduction

There is a large variety of theorem provers and proof checkers which can be used for verification (cf. [8], [1], [11]). The mathematical counterparts of those systems range from first order logic (e.g. in FOL) and certain fragments of first order arithmetic to higher order logic (HOL), the systems with powerful principles sufficient to accommodate most of the classical mathematics (Mizar) and most of the computational and constructive tools (Nuprl). The underlying logic of such systems can be either classical or intuitionistic.

In this paper we assume that

The degree of confidence in a fact verified by a certain system is not higher than the degree of confidence in the system itself.

* Technical Report CFIS 98-16, Cornell University. Lecture notes of the talk given by the author at the PRL Seminar of the Department of Computer Science, Cornell University, on November 24, 1998.
†…to Intelligent Systems", grant DAAH04-96-1-0341, by DARPA under program LPE, project 34145, and by the Russian Foundation for Basic Research, grant 96-01-01395.
This paradigm yields the necessity to keep an account of the tools used in a given verification process. This includes the verification system V itself along with an exact description of the set of all metamathematical assumptions $\mathcal{M}$ made in the process of verification. Therefore, the set of beliefs which the verification is based upon should include $V \cup \mathcal{M}$. Without loss of generality we assume in this paper that a metatheory $\mathcal{M}$ of a given verification system V contains V, therefore $V \cup \mathcal{M} = \mathcal{M}$.

For example, suppose we want to verify a statement F by means of the first order arithmetic PA (i.e. V = PA). One of the possible ways to put this problem in a formal setting is to say that our goal consists in establishing that $PA \vdash Provable(F)$, where Provable(F) is a formal statement saying that "F is provable by certain formal tools". Suppose that we have established that $ZF \vdash Provable(F)$, where ZF is the Zermelo-Fraenkel set theory (a much stronger theory than PA). This corresponds to a realistic situation when a verifier uses the power of all of mathematics, not only the elementary methods formalizable in PA. Here is the sketch of the standard metamathematical argument which under certain assumptions about ZF concludes that in fact $PA \vdash Provable(F)$: assume that ZF is ω-consistent (cf. [14], [7], [15]); since Provable(F) is an arithmetical $\Sigma_1$ statement, this yields that Provable(F) is true and, by the $\Sigma_1$-completeness of PA, $PA \vdash Provable(F)$. On the one hand, we have succeeded in establishing that $PA \vdash Provable(F)$. On the other hand, at the metalevel of this argument we have used the power of ZF and even the assumption of ω-consistency of ZF. A total account of the beliefs involved in this verification process should include this assumption, which, by the way, has never been and could not possibly be proven by any usual consistent mathematical means¹.

In this paper we will try to demonstrate the following three points:

1. Some form of the reflection rule is a necessary part of an extendable verification system. This will emerge as a natural corollary of the basic soundness, extensibility, and stability assumptions (cf. [8]) about a verification system.

2. The traditional reflection based on the implicit provability predicate cannot be verified in full. It is well-known that even if the implicit reflection is a valid rule in a given system V, its verification cannot be made inside V (cf. [8], [12], [1], [11]). The present paper demonstrates that the natural metatheory of the "reflection tower" of the implicit reflection rules is not computably enumerable and subsumes all true $\Pi_1$-sentences. If one takes into account these hidden metamathematical costs, then within the theory of implicit provability the verification goal of establishing a fact F in V by formally verifying in V a proof of F is not achievable.

¹ A better way to present the verification solution from this example would be to simply admit that we are doing the verification in V = ZF and thus to restrict the set of beliefs to ZF.
3. There is a new reflection mechanism: "explicit reflection" (introduced in the present paper), which is verifiable in the system itself. The explicit reflection circumvents the reflection tower and provides the strict justification of verification. Explicit reflection requires more information in order to certify the premises of the reflection rule. However, this additional information is usually available in real processes of verification; the old implicit provability model just has not had a mechanism for its utilisation.

On the theoretical side, this paper provides a foundational justification of the verification process. On the practical side, the paper gives specific recommendations concerning the verification of the admissible rules and building a verifiable reflection mechanism for a theorem proving system.

2 Verification systems


2.1 Definition. Under a verification system V we will understand a formal theory satisfying the following conditions a) - d):

a) The underlying logic of V is either classical or intuitionistic.

b) Proofhood in V is decidable, therefore theoremhood in V is computably enumerable. Note that by the well-known Craig Theorem the former follows from the latter for an appropriate choice of axiom system.

c) V is strong enough to represent any computable function and decidable relation. In particular, given a decidable relation R(x) one can construct a formula $\mathcal{R}(x)$ of V such that for any closed term t

"R(t)" implies $V \vdash \mathcal{R}(t)$ and "not R(t)" implies $V \vdash \neg\mathcal{R}(t)$.

d) V has some sort of a numeration of syntax mechanism in the style of [8], [1]. In particular, there is an injective function rep which maps syntactic objects like terms, formulas, finite sequences of formulas, sequents, finite trees labeled by sequents, derivation trees, etc., into standard ground terms of V. The usual notation used in this case is $\ulcorner s \urcorner = rep(s)$. The function rep and its inverse are both computable. We assume that V is able to derive formalizations of "usual" combinatory properties of the syntactic objects at a level corresponding to the first order intuitionistic arithmetic HA.

It follows from b) and c) that there is a total computable function which, given t, returns a proof of $\mathcal{R}(t)$ in the former case, and a proof of $\neg\mathcal{R}(t)$ in the latter case. For the sake of notational simplicity we will use the same names for the informal objects (relations, functions, numbers) and for their formal counterparts (formulas, terms, ground terms) whenever unambiguous.
Examples of verification systems: the first order arithmetic PA; the first order intuitionistic arithmetic HA and its extensions; second order arithmetic; Martin-Löf type theory; formal set theory ZF; etc. Note that all the above conditions on V have a purely constructive syntactic character. We have assumed neither semantic properties of V (e.g. soundness with respect to some semantics), nor metamathematical ones (consistency, ω-consistency, etc.).

2.2 Definition. For any verification system V there is a provably decidable (i.e. from $\Delta_1$) formula Proof(x, y) of V (called a proof predicate) obtained by a natural formalization of the inductive definition of derivation in V (cf. [9], [8], [1]). In particular, $Proof(p, \ulcorner\varphi\urcorner)$ holds iff p is a proof of φ in V. The Gödel provability predicate Provable(y) is defined as $\exists x\,Proof(x, y)$. We will use the notation $\Box\varphi$ for $Provable(\ulcorner\varphi\urcorner)$ and $[\![p]\!]\varphi$ for $Proof(p, \ulcorner\varphi\urcorner)$. For any finite set of V-formulas Γ, by $\Box\Gamma$ we mean the conjunction of the $\Box\psi$'s for all $\psi \in \Gamma$.

2.3 Definition. The consistency formula Consis(V) is defined as $\neg\Box\bot$, where ⊥ is the standard false formula in V. The informal meaning of Consis(V) is that there is no proof of false in V: this is one of the equivalent formulations of the consistency assertion of V in the language of V.

We will refer to the provability predicate □(·) as the implicit provability predicate. The reason for choosing this name lies in the fact that in the formula $\Box\varphi$ (i.e. $\exists x\,Proof(x, \ulcorner\varphi\urcorner)$) the proof is represented implicitly by the existential quantifier, which does not provide any specification of this proof.

The implicit provability predicate has been studied extensively since its invention by Gödel in 1930. The milestone results here are the second Gödel incompleteness theorem (cf. [14], [7]), which states that

If V is consistent, then $V \nvdash Consis(V)$,

and the Löb theorem which says that

$V \vdash \Box\varphi \to \varphi$ implies $V \vdash \varphi$.

By the well-known Hilbert-Bernays lemma (cf. [14], [7]),

$V \vdash \varphi$ implies $V \vdash \Box\varphi$.

This lemma can be considered as a justification of the formalization rule for V, which states that every proof in V can be formalized in V. The proof of the formalization rule is purely syntactic and does not involve any extra assumptions about V. Moreover, this rule can be formalized and proven inside V (cf. [14], [7]):

$V \vdash \Box\varphi \to \Box\Box\varphi$.
Below we will use one more fact about the provability operator □, usually attributed to Hilbert, Bernays and Löb (cf. [14], [7]):

$V \vdash \Box(\varphi \to \psi) \to (\Box\varphi \to \Box\psi)$.

3 Stability requires reflection

The basic properties required from a verification system are soundness, extensibility, and stability ([8]). We will discuss soundness in Section 4. Extensibility and stability will appear in this section below.

3.1 Definition. A rule of inference R in the language of V is a computable function from a decidable set of finite sets of V-formulas to the set of V-formulas. The usual notation for a rule of inference R is Γ/φ, where Γ indicates the argument of R (premises), and φ the value R(Γ) of R (conclusion). For the sake of notational convenience we will not distinguish between a finite set of formulas Γ and one formula which is the conjunction of all formulas from Γ when unambiguous. We would like to think that such an abuse of notation will be tolerated by a reader.


3.2 Definition. A rule of inference Γ/φ is derived in V if $V \vdash \Gamma \to \varphi$.

A rule of inference Γ/φ is implicitly verified in V if $V \vdash \Box\Gamma \to \Box\varphi$.

A rule Γ/φ is admissible in V if $V \vdash \Gamma$ implies $V \vdash \varphi$.


3.3 Lemma.

1. Every derived rule is implicitly verified, but not vice versa.

2. Every derived rule is admissible, but not vice versa.

Proof. 1. Let $V \vdash \Gamma \to \varphi$. By the formalization rule, $V \vdash \Box(\Gamma \to \varphi)$. By the properties of the provability operator (Section 2), $V \vdash \Box\Gamma \to \Box\varphi$. Here are examples of implicitly verified rules that are not derivable: $\varphi/\forall x\varphi$ (generalization), $\varphi/\Box\varphi$ (formalization), $\Box\varphi \to \varphi\,/\,\varphi$ (Löb's rule), $\neg\neg\sigma/\sigma$, where σ is a $\Sigma_1$ sentence (Markov rule for intuitionistic arithmetic HA, cf. [16]).

2. If $V \vdash \Gamma \to \varphi$ and $V \vdash \Gamma$, then $V \vdash \varphi$. The rules generalization, formalization, Löb's rule, Markov rule from above are all admissible but not derived.

◄ 

The extensibility property of V is understood ([8]) as a technical possibility to extend V by adding rules of inference verified in V. We accept the understanding of stability as conservativity of extensions by implicitly verified rules (cf. [1], [11]).
3.4 Definition. System $V' \supseteq V$ is conservative over V if for any formula ψ

$V' \vdash \psi$ implies $V \vdash \psi$.

A system V is implicitly stable if for any rule Γ/φ implicitly verified in V the system V + Γ/φ is conservative over V.


3.5 Definition. The implicit reflection rule IRR(V) is the rule $\Box\varphi/\varphi$, where $\Box\varphi$ represents the provability of φ in V.


3.6 Example. Here is the standard example of a formal theory for which the implicit reflection rule does not hold ([9]): V = PA + ¬Consis(PA). This system is consistent, i.e. $V \nvdash \bot$. On the other hand $V \vdash \Box\bot$, where □ stands for provability in this particular V.


3.7 Theorem. A verification system V is implicitly stable iff the implicit reflection rule IRR(V) is admissible in V.

Proof. Let V be an implicitly stable system. Let us consider the rule $R_\varphi$ consisting of a single pair (TRUE, φ), where TRUE is the propositional constant for true statements in V. Since $V \vdash TRUE$, we also have $V \vdash \Box(TRUE)$. By implicit stability of V, for all φ, ψ: if $V \vdash \Box(TRUE) \to \Box\varphi$ and $V + TRUE/\varphi \vdash \psi$, then $V \vdash \psi$. Equivalently, for all φ, ψ: if $V \vdash \Box\varphi$ and $V + \varphi \vdash \psi$, then $V \vdash \psi$. Let ψ be φ. Then $V \vdash \Box\varphi$ implies $V \vdash \varphi$ for all φ, therefore IRR(V) is admissible in V.

Let now IRR(V) be admissible in V, i.e. $V \vdash \Box\varphi$ implies $V \vdash \varphi$, and let Γ/φ be an implicitly verified rule, i.e. $V \vdash \Box\Gamma \to \Box\varphi$. By an induction on the derivation in V + Γ/φ we prove that $V + \Gamma/\varphi \vdash \psi$ implies $V \vdash \psi$. The induction basis holds because V and V + Γ/φ have the same set of axioms. The induction step in the case of a rule other than Γ/φ is trivial. Let ψ be obtained in V + Γ/φ by the rule Γ/φ, i.e. there is a specific $\Gamma_1$ such that $\Gamma_1/\psi$ is a special case of the rule Γ/φ and $V + \Gamma/\varphi \vdash \Gamma_1$. By the induction hypothesis, $V \vdash \Gamma_1$. By the formalization rule in V, $V \vdash \Box\Gamma_1$. Since the rule Γ/φ is implicitly verified, we have $V \vdash \Box\Gamma_1 \to \Box\psi$, therefore $V \vdash \Box\psi$. By the rule IRR(V), $V \vdash \psi$.

◄

Extensibility by derived rules, however, can be verified inside the system without any additional assumptions.

3.8 Theorem. An extension of a verification system V by a derived rule is provably in V conservative.

Proof. The following argument can be formalized in V. Let $V \vdash \Gamma \to \varphi$ and $V' = V + \Gamma/\varphi$. By induction on a proof in V' similar to the one from the proof of Theorem 3.7 we show that for any formula ψ, if $V' \vdash \psi$ then $V \vdash \psi$. We consider the most important case in the induction step. Let ψ be obtained in V + Γ/φ by the rule Γ/φ, i.e. there is a specific $\Gamma_1$ such that $\Gamma_1/\psi$ is a special case of the rule Γ/φ and $V + \Gamma/\varphi \vdash \Gamma_1$. By the induction hypothesis, $V \vdash \Gamma_1$. Since $V \vdash \Gamma_1 \to \psi$, we get $V \vdash \psi$.

◄ 


3.9 Comment. Nuprl has the mechanism of tactics based on the extension by derived rules. As we see from 3.8, this mechanism can be justified inside the system, as it does not need any additional assumptions. Although correct, this mechanism is not as general as the extensions by verified rules (cf. Lemma 3.3(2)).


4 Metamathematical cost of soundness and implicit stability

In this section we will find lower and upper bounds for the minimal metatheory $\mathcal{M}$ capable of establishing soundness and stability of a given verification system V.

We will use the Turing progression as the standard scale to measure the metamathematical strength of a given extension of the basic theory ([13]). The Turing progression $V^c_\alpha$ of theories (cf. [17], [10], [2]) for V is obtained from V by iterating the consistency assumptions along the Church-Kleene system of constructive ordinals α.

We consider the first ω theories from the Turing progression:

$$V^c_0 = V,\qquad V^c_{n+1} = V^c_n + Consis(V^c_n),\qquad V^c_\omega = \bigcup_n V^c_n.$$

If V is correct with respect to the standard model of arithmetic, then the following strict inclusions hold:

$$V^c_0 \subset V^c_1 \subset V^c_2 \subset \dots \subset V^c_\omega.$$

Soundness was described in [8] as the condition that "We must be entirely convinced that any proof of a theorem which the system certifies as correct should indeed be so." A straightforward way to formalize soundness would be to assume some sort of semantics for V, to take $\mathcal{M}$ powerful enough to express the notion of truth for the V-formulas and to establish inside $\mathcal{M}$ a formal analogue of the statement

for every sentence φ, if φ is provable then φ is true.
This approach would require a fairly strong $\mathcal{M}$. In particular, one needs to extend the language of V in order to write down formulas "φ is true": by the well-known Tarski theorem there is no such formula in the language of V itself.

In fact, soundness of a verification system V deals with the truth values of formal statements of an especially simple type, namely provable $\Delta_1$ sentences $[\![t]\!]\varphi$.

4.1 Theorem.

1. The following conditions are equivalent: a) $V \vdash [\![t]\!]\varphi$ implies $[\![t]\!]\varphi$ is true; b) V is consistent.

2. V suffices to establish 1.

Proof. If 1a, then the false sentences of the kind $[\![t]\!]\varphi$ are not provable in V, therefore V is consistent. Suppose 1b and let $V \vdash [\![t]\!]\varphi$. If $[\![t]\!]\varphi$ were false, then $V \vdash \neg[\![t]\!]\varphi$ by $\Delta_1$-completeness of V. This leads to a contradiction in V.

2. The straightforward formalization of the proof of 1 with the use of provable $\Delta_1$-completeness of V.

◄ 


4.2 Corollary. Simple consistency of V is necessary and sufficient for soundness of a verification system V.

Now we will figure out what metatheory can establish implicit stability.

4.3 Definition. By "V is stable" we understand the V-formula which is the natural formalization of the stability property of V. By "implicit reflection rule is admissible in V", or equivalently

$$\forall x(\Box\Box x \to \Box x),$$

we mean the natural formalization in the language of V of the property that IRR(V) is admissible in V.


4.4 Theorem. $V \vdash$ "V is stable" $\leftrightarrow$ "implicit reflection rule is admissible in V".

Proof. The straightforward (though delicate) formalization of the proof of Theorem 3.7.

◄ 

4.5 Theorem. Implicit stability of an ω-consistent verification system is not provable in this system.

Proof. By Theorem 4.4, implicit stability is provable in V iff $V \vdash \forall x(\Box\Box x \to \Box x)$. Let x be the code of ⊥. Then $V \vdash \Box\Box\bot \to \Box\bot$. By Löb's theorem, $V \vdash \Box\bot$, which is impossible for an ω-consistent V.

◄ 

It follows from the above that the minimal metatheory for soundness and implicit stability is

$$\mathcal{M} = V + Consis(V) + \forall x(\Box\Box x \to \Box x).$$

4.6 Theorem. If V is correct with respect to the standard model of arithmetic, then the metatheory for soundness and implicit stability strictly subsumes the first ω steps of the Turing progression.

Proof. In order to establish $V^c_\omega \subseteq \mathcal{M}$ consider the formulas $\Box^0\bot = \bot$, $\Box^{n+1}\bot = \Box(\Box^n\bot)$. First of all we note that under the assumptions made about V the formula $Consis(V^c_n)$ is provably equivalent in V to $\neg\Box^{n+1}\bot$ (cf. [2]). Indeed, $Consis(V^c_0)$ is Consis(V), i.e. $\neg\Box\bot$. Then $Consis(V^c_1)$ is a formula stating that $V + Consis(V) \nvdash \bot$, i.e. $V + \neg\Box\bot \nvdash \bot$. This is equivalent to $V \nvdash \neg\Box\bot \to \bot$, i.e. to $V \nvdash \Box\bot$. Therefore, $Consis(V^c_1)$ is equivalent to $\neg\Box\Box\bot$. A similar argument works for n = 2, 3, 4, ....

Now we show how to derive all $\neg\Box^n\bot$, n = 1, 2, 3, ..., in $\mathcal{M}$. The case n = 1 is covered by the assumption that $\mathcal{M} \vdash Consis(V)$, which is equivalent to $\mathcal{M} \vdash \neg\Box\bot$, or $\mathcal{M} \vdash \Box\bot \to \bot$. For n = 2 put x = ⊥ in $\forall x(\Box\Box x \to \Box x)$. Then $\mathcal{M} \vdash \Box\Box\bot \to \Box\bot$. Since we already have $\mathcal{M} \vdash \Box\bot \to \bot$, we conclude that $\mathcal{M} \vdash \Box\Box\bot \to \bot$, i.e. $\mathcal{M} \vdash \neg\Box\Box\bot$. A similar argument works for n = 3, 4, 5, .... Thus

$$V^c_\omega \subseteq \mathcal{M}.$$
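The step the proof defers with "a similar argument works for n = 3, 4, 5, ...", written out for a general n as an added worked derivation (not part of the original paper), in the notation of this section:

Assume $\mathcal{M} \vdash \neg\Box^{n}\bot$, i.e. $\mathcal{M} \vdash \Box^{n}\bot \to \bot$. Instantiating the axiom $\forall x(\Box\Box x \to \Box x)$ of $\mathcal{M}$ at $x = \ulcorner \Box^{n-1}\bot \urcorner$ gives

$$\mathcal{M} \vdash \Box\Box\Box^{n-1}\bot \to \Box\Box^{n-1}\bot, \qquad\text{i.e.}\qquad \mathcal{M} \vdash \Box^{n+1}\bot \to \Box^{n}\bot.$$

Chaining this with the induction hypothesis $\Box^{n}\bot \to \bot$,

$$\mathcal{M} \vdash \Box^{n+1}\bot \to \bot, \qquad\text{i.e.}\qquad \mathcal{M} \vdash \neg\Box^{n+1}\bot,$$

and $\neg\Box^{n+1}\bot$ is provably equivalent to $Consis(V^c_n)$, the axiom by which $V^c_{n+1}$ extends $V^c_n$. Hence $V^c_{n+1} \subseteq \mathcal{M}$ for every n, and so $V^c_\omega = \bigcup_n V^c_n \subseteq \mathcal{M}$.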

Now we will check that $V^c_\omega \neq \mathcal{M}$. Suppose

$$V^c_\omega \vdash Consis(V) \wedge \forall x(\Box\Box x \to \Box x).$$

By the compactness argument, there is a natural number n such that

$$V^c_n \vdash Consis(V) \wedge \forall x(\Box\Box x \to \Box x),$$

so every theorem of $\mathcal{M}$ is a theorem of $V^c_n$. Since $V^c_\omega \subseteq \mathcal{M}$, $\mathcal{M}$ proves the consistency of $V^c_n$. Therefore

$$V^c_n \vdash Consis(V^c_n),$$

which is impossible by the second Gödel incompleteness theorem for $V^c_n$.

◄ 
5 Metamathematical cost of implicit reflection

In an ω-consistent verification system V the rule of implicit reflection IRR(V) is admissible, i.e. $V \vdash \Box\varphi$ yields $V \vdash \varphi$ for any formula φ. The most simple formalization of the admissibility property is the scheme $\Box\Box\varphi \to \Box\varphi$, where $\Box\varphi$ stands for the formula of provability of φ in V. A general procedure of incorporating the implicit reflection rule into a verification system V may be presented by the following reflection tower of extensions of V (cf. [12], [1], [11]):

$$V^r_0 = V,\qquad V^r_{\alpha+1} = V^r_\alpha + IRR(V^r_\alpha),\qquad V^r_\gamma = \bigcup_{\beta<\gamma} V^r_\beta \text{ for a limit ordinal } \gamma.$$

For the sake of simplicity we assume in this section that V is sound with respect to the standard model of arithmetic.

In this section we will try to figure out what natural metatheory is able to establish the admissibility of all the reflection rules from the reflection tower.

5.1 Definition. The implicit reflection principle IRP(V) for a given system V is the scheme of formulas

$$\{\Box\varphi \to \varphi \mid \varphi \text{ is a sentence of } V\}.$$

Let us consider Feferman's progression of extensions of V by the implicit reflection principles ([10]):

$$V^p_0 = V,\qquad V^p_{\alpha+1} = V^p_\alpha + IRP(V^p_\alpha),\qquad V^p_\gamma = \bigcup_{\beta<\gamma} V^p_\beta \text{ for a limit ordinal } \gamma.$$

The system $V^p_1$ proves admissibility of implicit reflection in $V^p_0$, i.e. the scheme of formulas $\Box\Box\varphi \to \Box\varphi$. In addition $V^r_1 \subseteq V^p_1$, since every instance of the rule $\Box\varphi/\varphi$ in a proof in $V^r_1$ can be emulated by the axiom $\Box\varphi \to \varphi$. Moreover, the inclusion $V^r_1 \subseteq V^p_1$ can be established in V. Iterating this argument one can show that $V^p_{\alpha+1}$ is the theory capable of establishing admissibility of the implicit reflection rule for $V^r_\alpha$.

How bad really is the reflection tower for V? The natural metatheory capable of verifying the whole reflection tower is the limit of Feferman's progression $V^p_\alpha$ for all constructive ordinals α.


5.2 Proposition. ([10]) The limit of $V^p_\alpha$ for all constructive ordinals α equals

V + all true $\Pi_1$-sentences.


It follows from the above that the natural metatheory for the reflection tower is not computably enumerable, and could not possibly be verified by any sound mathematical means. It contains, for example, the consistency statements for all consistent axiomatic theories, among them Consis(ZF) (provided ZF is consistent).

In the next section we describe explicit reflection, which is verifiable by means of the system itself and thus circumvents the reflection tower.

6 Explicit reflection for verification systems

An alternative way to represent provability in a logical setting has been developed in [3] - [6]. The key idea of this approach is to represent provability by a certain family of proof operators (i.e. $Proof(t, \ulcorner\varphi\urcorner)$ with an appropriate set of ground proof terms t). As it was shown in [5] and [6], every propositional property of the provability operator can be represented by the family of proof operators with a certain class of finitely generated terms. It is easy to notice that the following explicit formalization theorem holds: for every sentence φ such that $V \vdash \varphi$ there is a ground term t of V such that $V \vdash [\![t]\!]\varphi$.

6.1 Definition. The explicit reflection principle ERP(V) is the scheme of formulas

$$[\![t]\!]\varphi \to \varphi$$

for all sentences φ and all ground terms t.


6.2 Lemma. (Derivability of explicit reflection [3]). For any ground term t and formula φ

$$V \vdash [\![t]\!]\varphi \to \varphi.$$


Proof. We give a constructive proof of this lemma which delivers an algorithm for constructing a derivation of $[\![t]\!]\varphi \to \varphi$ in V given φ and t. First of all, by the proof checking procedure we calculate the truth value of $[\![t]\!]\varphi$. If this value is TRUE, then the ground term t represents a derivation of φ, from which by a straightforward reconstruction we obtain the proof of $[\![t]\!]\varphi \to \varphi$. If the proof checker on $[\![t]\!]\varphi$ returns FALSE, then by the corresponding procedure mentioned in 2.1, we get the proof of $\neg[\![t]\!]\varphi$ in V. From that by the straightforward transformation, we get the proof of $[\![t]\!]\varphi \to \varphi$.

◄ 


6.3 Corollary. There is an algorithm which given a formula φ and a ground term t returns the ground term p such that

$$V \vdash [\![p]\!]([\![t]\!]\varphi \to \varphi).$$


6.4 Definition. The explicit reflection rule ERR(V) is the rule $[\![t]\!]\varphi/\varphi$ for all ground terms t and all sentences φ.
6.5 Definition. A rule Γ/φ is explicitly verifiable in V if there is a total computable function f such that $V \vdash [\![y]\!]\Gamma \to [\![f(y)]\!]\varphi$.

It is clear from the definitions that "explicitly verifiable" implies "implicitly verifiable".

6.6 Theorem. The explicit reflection rule ERR(V) is explicitly verifiable in V.

Proof. Let · be a total and computable "application" function on proof codes, specified by the condition

$$V \vdash [\![x]\!](\varphi \to \psi) \to ([\![y]\!]\varphi \to [\![x \cdot y]\!]\psi)$$

(cf. [5], [6]). By 6.3, $V \vdash [\![p]\!]([\![t]\!]\varphi \to \varphi)$ for some ground term p. Therefore,

$$V \vdash [\![y]\!][\![t]\!]\varphi \to [\![p \cdot y]\!]\varphi.$$


◄ 


6.7 Corollary. The explicit reflection rule ERR(V) is admissible for every verification system V.

6.8 Definition. A rule of inference included in the description of a system V is called an internal rule of V.


6.9 Lemma. Every internal rule is explicitly verifiable.

Proof. There is a straightforward function behind every internal rule Δ/θ which calculates the code of a proof of θ given the codes of proofs of Δ. A natural formalization of this function in V gives a term f such that $V \vdash [\![y]\!]\Delta \to [\![f(y)]\!]\theta$.

◄ 


6.10 Definition. An extension V' of V is verifiably equivalent to V if there is a computable function g of V such that $V \vdash [\![x]\!]'\psi \to [\![g(x)]\!]\psi$, where $[\![x]\!]'\psi$ stands for the formula "x is a proof of ψ in V'". In other words, for a verifiably equivalent extension V' there is an algorithm that transforms proofs in V' into proofs of the same facts in V.


6.11 Theorem. An extension of a verification system by an explicitly verified rule is verifiably equivalent to the original system.

Proof. Let a rule Γ/φ be explicitly verifiable in a verification system V, i.e. there is a computable function f such that $V \vdash [\![y]\!]\Gamma \to [\![f(y)]\!]\varphi$. Let V' be V + Γ/φ. The function g(x) works as follows. It travels along the proof tree in V' coded by x and calculates the code of a proof tree in V of the same sentence (sequent). If the observed node is a leaf node, then it corresponds to an axiom of V', which is an axiom of V as well. In this situation g does not change the proof at all.

Let the observed node correspond to an application of an internal rule Δ/θ, and let u be the values of g on the predecessors of the current node, i.e. $V \vdash [\![u]\!]\Delta$. By Lemma 6.9, there is a computable function h such that $V \vdash [\![y]\!]\Delta \to [\![h(y)]\!]\theta$. Substituting u for y we derive $[\![h(u)]\!]\theta$ in V. Let g map the observed node to h(u).

Let the observed node correspond to an application of the new rule Γ/φ, and let v be the values of g on the predecessors of this node, i.e. $V \vdash [\![v]\!]\Gamma$. By the conditions of the theorem $V \vdash [\![y]\!]\Gamma \to [\![f(y)]\!]\varphi$. Substitute v's for y's, conclude that $V \vdash [\![f(v)]\!]\varphi$ and let g map the observed node to f(v).

Eventually, at the root node of the V'-proof (coded by) x the function g returns the code of a V-proof of the formula (sequent) previously proven by x.

◄ 
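As an added example, not from the paper or from any of the systems it mentions: a toy Hilbert-style calculus with a decidable proof checker (the proof predicate of Definition 2.2), an extension V' by one rule that is explicitly verifiable in the sense of Definition 6.5, and the translation g from the proof of Theorem 6.11 that turns V'-proofs into V-proofs of the same formula. The formulas, the axiom set, the rule names (`comm`, `f_comm`, `g`, `check`) and the sample derivation are all constructed for this example.

```python
# Added example (not from the paper): a toy instance of Definitions 6.5 and
# 6.10 and of the translation g from the proof of Theorem 6.11.  The calculus,
# axiom set, rule names and the new rule "comm" are all constructed here.

# Formulas: an atom is a str; compound formulas are ('and', A, B) or ('->', A, B).
# Proof codes are nested tuples: ('ax', phi) for a leaf, (rule_name, *subproofs)
# for a rule application.

# Constructed non-logical axioms of V (and hence of every extension V').
AXIOMS = {'p', ('and', 'q', 'r'), ('->', 'p', ('and', 's', 't'))}

# Internal rules of V (Definition 6.8), each mapping premise formulas to the
# conclusion, or to None when the premises do not have the required shape.
def mp(a, imp):
    """Modus ponens: from A and A -> B conclude B."""
    if isinstance(imp, tuple) and imp[0] == '->' and imp[1] == a:
        return imp[2]
    return None

def and_i(a, b):
    return ('and', a, b)

def and_e1(c):
    return c[1] if isinstance(c, tuple) and c[0] == 'and' else None

def and_e2(c):
    return c[2] if isinstance(c, tuple) and c[0] == 'and' else None

V_RULES = {'mp': mp, 'andI': and_i, 'andE1': and_e1, 'andE2': and_e2}

def check(proof, rules=V_RULES):
    """Decidable proof predicate (Definition 2.2) of the system with internal
    rules `rules`: returns the conclusion of `proof`, or None if `proof` is
    not a correct derivation.  Proof(p, phi) is then `check(p) == phi`."""
    tag, *args = proof
    if tag == 'ax':
        return args[0] if len(args) == 1 and args[0] in AXIOMS else None
    if tag not in rules:
        return None
    prems = [check(sub, rules) for sub in args]
    if any(p is None for p in prems):
        return None
    try:
        return rules[tag](*prems)
    except TypeError:          # wrong number of premises for this rule
        return None

# The new rule of V' = V + comm: from A and B conclude B and A.
def comm(c):
    return ('and', c[2], c[1]) if isinstance(c, tuple) and c[0] == 'and' else None

V_EXT_RULES = dict(V_RULES, comm=comm)

# Explicit verification of comm (Definition 6.5): the total computable f with
# V |- [[y]](A and B) -> [[f(y)]](B and A).  It rewrites the proof code itself
# and never appeals to provability in V, so no reflection rule is needed.
def f_comm(y):
    return ('andI', ('andE2', y), ('andE1', y))

EXPLICIT = {'comm': f_comm}

def g(proof):
    """The function g of Theorem 6.11: turns a V'-proof into a V-proof of the
    same formula.  Leaves are kept; internal-rule nodes are rebuilt over the
    translated premises (the function h of Lemma 6.9); nodes of the new rule
    are replaced by f applied to the translated premises."""
    tag, *args = proof
    if tag == 'ax':
        return proof
    subs = [g(sub) for sub in args]
    if tag in EXPLICIT:
        return EXPLICIT[tag](*subs)
    return (tag, *subs)

# Constructed V'-proof of (t and s) and (r and q); it uses comm twice, so it is
# not a V-proof.
SAMPLE = ('andI',
          ('comm', ('mp', ('ax', 'p'), ('ax', ('->', 'p', ('and', 's', 't'))))),
          ('comm', ('ax', ('and', 'q', 'r'))))

def translate_and_verify(ext_proof):
    """Run g and confirm, with the V proof checker, that the result proves in V
    exactly what `ext_proof` proves in V'.  Returns the translated V-proof."""
    target = check(ext_proof, V_EXT_RULES)
    v_proof = g(ext_proof)
    assert target is not None and check(v_proof) == target
    return v_proof

if __name__ == '__main__':
    print(check(SAMPLE))                  # None: not a V-proof
    print(check(SAMPLE, V_EXT_RULES))     # ('and', ('and', 't', 's'), ('and', 'r', 'q'))
    print(translate_and_verify(SAMPLE))   # the V-proof that g produces
```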


7 Practical suggestions

As one can see, explicit reflection avoids some of the troubles inherent in implicit reflection. Here is the list of practical suggestions for the designers of verification systems. Explicit reflection says nothing new for nonextendable systems without a reflection mechanism. In such a system the explicit reflection rule has already been used by default when one concludes that V has verified a fact φ given that $V \vdash [\![t]\!]\varphi$ for some proof code t.

There are two classes of systems where explicit reflection can bring a significant improvement.

1. Verification systems with extensibility but without special built-in reflection mechanisms. Here the use of explicit reflection may be twofold. Firstly, it appears in the assertion insertion mode (cf. [8]), when it is established that $V \vdash [\![t]\!]\varphi$ and then φ is stored as a verified fact (i.e. a new axiom) of V. We have nothing specific to add here, since this mode as presented above (and in [8]) already agrees with the explicit reflection recommendations. Secondly, the explicit reflection appears in the rule insertion mode, when Γ/φ is verified in V and then added to V as a new inference rule. The explicit reflection suggests verifying the rule Γ/φ in V explicitly, i.e. by constructing a computable function f such that $V \vdash [\![y]\!]\Gamma \to [\![f(y)]\!]\varphi$. By doing this we guarantee that the resulting extension is verified in the old system without any hidden metaassumptions.

If the rule insertion mode uses explicit verification only, then there is no need to have a special built-in reflection mechanism: provable stability of the system is preserved by explicit verification (Theorem 6.11).

Interestingly enough, there are substantial classes of verification systems where the implicit verification in a certain sense yields the explicit one. For example, in traditional intuitionistic systems $V \vdash \Box\Gamma \to \Box\varphi$ implies $V \vdash [\![y]\!]\Gamma \to [\![f(y)]\!]\varphi$ for some computable function f (cf. [16]). However, the proof of this fact itself cannot be formalized in V and its use in the rule insertion mode leads to some sort of a reflection tower. Therefore, even for the constructive systems the practical suggestion is to use the explicit verification, i.e. to establish $V \vdash [\![y]\!]\Gamma \to [\![f(y)]\!]\varphi$ directly rather than to prove $V \vdash \Box\Gamma \to \Box\varphi$ and then to apply a general theorem of obtaining the explicit verification from the implicit one; this involves some hidden and potentially high metamathematical costs.

2. Advanced systems with built-in reflection mechanisms. There is a number of systems which have or intend to have such mechanisms. The paper [11] mentions several of them: FOL, NQTHM, HOL and Nuprl. At least one more is coming: MetaPrl at Cornell University. Probably more systems will join this set since reflection arguments are surprisingly often used in mathematical and common reasoning. The existing implicit reflection mechanisms in these systems lead to unnecessary metamathematical costs (cf. Section 5). For such systems the idea of having explicit reflection (perhaps, along with the implicit one) might be seriously considered, because the explicit reflection can be added to a system without any extra metamathematical assumptions at all (Theorem 6.6).

Right now within the Nuprl research group at Cornell University we are exploring the possibility to build explicit reflection mechanisms in the new generation of Nuprl systems.